demetri08
ASA 5520 xlate
I'm replacing an old 2651 with a ASA 5520 with 8.0(3). I'm new at this, but have pieced it together so that it seems to work and test out OK; however, once I place it on my network most users experience symptoms of congestion. If I do a clear xlate it will clear up for a minute or so. Below is the config and output of some commands with only a few clients on--not when the entire network is behind it.
The ASA goes to a Packeteer 7500>Bluecoat Proxy>L3 4503 switch. Proxy and Packeteer are transparent--just for filtering and shaping.
:
ASA Version 8.0(3)
!
hostname XYZABC
domain-name AAA
enable password X1ukmNQg/PUDAkLR encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xxx.xx.93 255.255.255.240
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.240
!
interface GigabitEthernet0/2.110
description Main Office Interface
vlan 11
nameif Main
security-level 100
ip address 10.6.0.3 255.255.255.224
!
interface GigabitEthernet0/2.120
description CW Interface
vlan 12
nameif CW
security-level 100
ip address 10.6.0.35 255.255.255.240
!
interface GigabitEthernet0/2.130
description HN Interface
vlan 13
nameif HN
security-level 100
ip address 10.6.1.3 255.255.255.248
!
interface GigabitEthernet0/2.140
description TMDE Interface
vlan 14
nameif TMDE
security-level 100
ip address 10.6.3.3 255.255.255.240
!
interface GigabitEthernet0/2.200
description Standard Interface
vlan 2
nameif Standard
security-level 100
ip address 10.1.0.3 255.255.128.0
!
interface GigabitEthernet0/2.300
description VOIP Interface
vlan 3
nameif VOIP
security-level 100
ip address 10.4.0.3 255.255.128.0
!
interface GigabitEthernet0/2.500
description Corporate Interface
vlan 5
nameif Corporate
security-level 100
ip address 10.3.0.3 255.255.240.0
!
interface GigabitEthernet0/2.600
description Equipment Interface
vlan 6
nameif Equipment
security-level 100
ip address 10.5.0.3 255.255.252.0
!
interface GigabitEthernet0/2.700
description Staff Interface
vlan 7
nameif Staff
security-level 100
ip address 10.6.2.3 255.255.255.192
!
interface GigabitEthernet0/3
description DMZ Interface
nameif DMZ
security-level 40
ip address 10.10.10.1 255.255.255.240
!
interface Management0/0
nameif MGT
security-level 100
ip address 172.16.0.1 255.255.255.240
management-only
!
passwd 0jESGTKLXB.nb7sY encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name aaa
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat_outbound extended permit ip host 10.0.0.9 10.10.10.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu MGT 1500
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu Standard 1500
mtu VOIP 1500
mtu Corporate 1500
mtu Equipment 1500
mtu Staff 1500
mtu Main 1500
mtu CW 1500
mtu HN 1500
mtu TMDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 77.246.72.87 netmask 255.0.0.0
global (outside) 101 77.246.72.88 netmask 255.0.0.0
global (outside) 101 77.246.72.85 netmask 255.0.0.0
global (outside) 101 77.246.72.86 netmask 255.0.0.0
global (outside) 101 77.246.72.89 netmask 255.0.0.0
global (DMZ) 202 10.10.10.9-10.10.10.11 netmask 255.0.0.0
nat (inside) 202 access-list inside_nat_outbound
nat (inside) 101 10.6.1.0 255.255.255.248
nat (inside) 101 10.6.0.32 255.255.255.240
nat (inside) 101 10.6.3.0 255.255.255.240
nat (inside) 101 10.6.0.0 255.255.255.224
nat (inside) 101 10.6.2.0 255.255.255.192
nat (inside) 101 10.5.0.0 255.255.252.0
nat (inside) 101 10.3.0.0 255.255.240.0
nat (inside) 101 10.1.0.0 255.255.128.0
static (DMZ,outside) 77.246.72.90 10.10.10.6 netmask 255.255.255.255
static (DMZ,outside) 77.246.72.83 10.10.10.5 netmask 255.255.255.255
static (DMZ,outside) 77.246.72.84 10.10.10.3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 77.246.72.81 1
route inside 10.1.0.0 255.255.128.0 10.0.0.2 1
route inside 10.3.0.0 255.255.240.0 10.0.0.2 1
route inside 10.5.0.0 255.255.252.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.10.9 255.255.255.255 DMZ
http 10.0.0.9 255.255.255.255 inside
http 172.16.0.0 255.255.255.248 MGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 172.16.0.2 255.255.255.255 MGT
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.0.2-172.16.0.6 MGT
dhcpd dns 198.6.1.5 interface MGT
dhcpd enable MGT
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9c577be224a2cb3c98f0e7ecd797436e
: end
xyzabc# sh xlate
3 in use, 2070 most used
Global XX.XXX.XX.90 Local 10.10.10.6
Global XX.XXX.XX.83 Local 10.10.10.5
Global XX.XXX.XX.84 Local 10.10.10.3
xyzabc# sh xlate
11 in use, 2070 most used
Global XXX.XXX.XX.90 Local 10.10.10.6
Global XX.XXX.XX.83 Local 10.10.10.5
Global XX.XXX.XX.84 Local 10.10.10.3
PAT Global XXX.XXX.XX.87(1063) Local 10.1.0.9(3552)
PAT Global XXX.XXX.XX.87(1059) Local 10.1.0.9(58957)
PAT Global XXX.XXX.XX.87(1062) Local 10.1.0.9(3551)
PAT Global XXX.XXX.XX.87(1058) Local 10.1.0.9(57605)
PAT Global XXX.XXX.XX.87(1061) Local 10.1.0.9(3550)
PAT Global XXX.XXX.XX.87(1057) Local 10.1.0.9(54839)
PAT Global XXX.XXX.XX.87(1060) Local 10.1.0.9(3549)
PAT Global XXX.XXX.XX.87(1056) Local 10.1.0.9(49867)
xyzabc# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is XX.XXX.XX.81 to network 0.0.0.0
C 172.16.0.0 255.255.255.240 is directly connected, MGT
C XX.XXX.XX.80 255.255.255.240 is directly connected, outside
C 10.3.0.0 255.255.240.0 is directly connected, Corporate
C 10.0.0.0 255.255.255.240 is directly connected, inside
C 10.10.10.0 255.255.255.240 is directly connected, DMZ
C 10.1.0.0 255.255.128.0 is directly connected, Standard
C 10.6.0.0 255.255.255.224 is directly connected, Main
C 10.6.1.0 255.255.255.248 is directly connected, HN
C 10.6.2.0 255.255.255.192 is directly connected, Staff
C 10.4.0.0 255.255.128.0 is directly connected, VOIP
C 10.6.3.0 255.255.255.240 is directly connected, TMDE
C 10.5.0.0 255.255.252.0 is directly connected, Equipment
C 10.6.0.32 255.255.255.240 is directly connected, CW
S* 0.0.0.0 0.0.0.0 [1/0] via 77.246.72.81, outside
xyzabc# sh conn
6 in use, 4255 most used
TCP out 75.65.216.108:6667 in 10.10.10.6:1225 idle 0:00:02 bytes 2284506 flags UIO
TCP out 74.125.95.102:80 in 10.1.0.9:3552 idle 0:00:03 bytes 762 flags UFRIO
TCP out 207.46.192.254:80 in 10.1.0.9:3549 idle 0:00:35 bytes 1582 flags UIO
WISP-ASA# sh perfmon
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCP Intercept 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
xyzabc# sh int
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
MAC address 001e.f762.9570, MTU 1500
IP address XX.XXX.XX.93, subnet mask 255.255.255.240
1881799 packets input, 1319211423 bytes, 0 no buffer
Received 23725 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1181707 packets output, 177008162 bytes, 0 underruns
0 output errors, 0 collisions, 6 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/17) software (0/0)
output queue (curr/max packets): hardware (0/6) software (0/0)
Traffic Statistics for "outside":
18179 packets input, 9086736 bytes
11112 packets output, 813789 bytes
3433 packets dropped
1 minute input rate 0 pkts/sec, 231 bytes/sec
1 minute output rate 0 pkts/sec, 16 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 387 bytes/sec
5 minute output rate 0 pkts/sec, 36 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/1 "", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001e.f762.9571, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Interface GigabitEthernet0/2 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Half-duplex), Auto-Speed(10 Mbps)
MAC address 001e.f762.9572, MTU 1500
IP address 10.0.0.1, subnet mask 255.255.255.240
1152565 packets input, 177452838 bytes, 0 no buffer
Received 49251 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1645918 packets output, 1061022910 bytes, 7 underruns
0 output errors, 324 collisions, 10 interface resets
0 late collisions, 15 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (3/33) software (0/0)
output queue (curr/max packets): hardware (0/5) software (0/0)
Traffic Statistics for "inside":
5895 packets input, 639799 bytes
5611 packets output, 4809065 bytes
1093 packets dropped
1 minute input rate 0 pkts/sec, 4 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 37 bytes/sec
5 minute output rate 0 pkts/sec, 245 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface GigabitEthernet0/2.110 "Main", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 11
Description: Main Office Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.6.0.3, subnet mask 255.255.255.224
Traffic Statistics for "Main":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Interface GigabitEthernet0/2.120 "CW", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 12
Description: CW Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.6.0.35, subnet mask 255.255.255.240
Traffic Statistics for "CW":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Interface GigabitEthernet0/2.130 "HN", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 13
Description: HN Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.6.1.3, subnet mask 255.255.255.248
Traffic Statistics for "HN":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Interface GigabitEthernet0/2.140 "TMDE", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 14
Description: TMDE Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.6.3.3, subnet mask 255.255.255.240
Traffic Statistics for "TMDE":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Interface GigabitEthernet0/2.200 "Standard", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 2
Description: Standard Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.1.0.3, subnet mask 255.255.128.0
Traffic Statistics for "Standard":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Interface GigabitEthernet0/2.300 "VOIP", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 3
Description: VOIP Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.4.0.3, subnet mask 255.255.128.0
Traffic Statistics for "VOIP":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Interface GigabitEthernet0/2.500 "Corporate", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 5
Description: Corporate Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.3.0.3, subnet mask 255.255.240.0
Traffic Statistics for "Corporate":
1 packets input, 40 bytes
1 packets output, 40 bytes
1 packets dropped
Interface GigabitEthernet0/2.600 "Equipment", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 6
Description: Equipment Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.5.0.3, subnet mask 255.255.252.0
Traffic Statistics for "Equipment":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Interface GigabitEthernet0/2.700 "Staff", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
VLAN identifier 7
Description: Staff Interface
MAC address 001e.f762.9572, MTU 1500
IP address 10.6.2.3, subnet mask 255.255.255.192
Traffic Statistics for "Staff":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
Interface GigabitEthernet0/3 "DMZ", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Description: DMZ Interface
MAC address 001e.f762.9573, MTU 1500
IP address 10.10.10.1, subnet mask 255.255.255.240
1116010 packets input, 79427748 bytes, 8440 no buffer
Received 7009 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1081713 packets output, 179228376 bytes, 4639 underruns
0 output errors, 0 collisions, 5 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (1/33) software (0/0)
output queue (curr/max packets): hardware (0/3) software (0/0)
Traffic Statistics for "DMZ":
6794 packets input, 1070221 bytes
9756 packets output, 3530205 bytes
729 packets dropped
1 minute input rate 0 pkts/sec, 10 bytes/sec
1 minute output rate 0 pkts/sec, 131 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 7 bytes/sec
5 minute output rate 0 pkts/sec, 96 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Management0/0 "MGT", is up, line protocol is up
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 001e.f762.956f, MTU 1500
IP address 172.16.0.1, subnet mask 255.255.255.240
69436 packets input, 4754010 bytes, 0 no buffer
Received 1777 broadcasts, 0 runts, 0 giants
23 input errors, 0 CRC, 0 frame, 23 overrun, 0 ignored, 0 abort
0 L2 decode drops
60385 packets output, 21204383 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/1) software (103/187)
output queue (curr/max packets): hardware (128/128) software (5848/5848)
Traffic Statistics for "MGT":
69196 packets input, 3441005 bytes
66244 packets output, 20346909 bytes
11197 packets dropped
1 minute input rate 82 pkts/sec, 3327 bytes/sec
1 minute output rate 91 pkts/sec, 4386 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 4 pkts/sec, 214 bytes/sec
5 minute output rate 3 pkts/sec, 862 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 5390 through-the-device packets
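A small parser for the `show xlate` output format quoted above, added here as an example (it is not from the question or from Cisco). The sample lines are constructed to match that format, with documentation-range addresses standing in for the masked public IPs; the script totals PAT translations per global address and per inside host, which is the first thing to look at when the table fills up and a `clear xlate` only helps for a minute.

```python
import re
from collections import Counter

# Constructed sample in the "show xlate" format from the question
# (203.0.113.0/24 is a documentation range used in place of the masked IPs).
SAMPLE_XLATE = """\
11 in use, 2070 most used
Global 203.0.113.90 Local 10.10.10.6
Global 203.0.113.83 Local 10.10.10.5
Global 203.0.113.84 Local 10.10.10.3
PAT Global 203.0.113.87(1063) Local 10.1.0.9(3552)
PAT Global 203.0.113.87(1059) Local 10.1.0.9(58957)
PAT Global 203.0.113.87(1062) Local 10.1.0.9(3551)
PAT Global 203.0.113.87(1058) Local 10.1.0.9(57605)
PAT Global 203.0.113.87(1061) Local 10.1.0.9(3550)
PAT Global 203.0.113.87(1057) Local 10.1.0.9(54839)
PAT Global 203.0.113.87(1060) Local 10.1.0.9(3549)
PAT Global 203.0.113.87(1056) Local 10.1.0.9(49867)
"""

HEADER_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
STATIC_RE = re.compile(r"^Global (\S+) Local (\S+)$")
PAT_RE = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\S+)\((\d+)\)$")


def parse_xlate(text):
    """Return (in_use, most_used, entries) parsed from 'show xlate' text.

    Each entry is a dict with kind 'static' (one-to-one) or 'pat' (port-mapped).
    """
    in_use = most_used = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = PAT_RE.match(line)
        if m:
            entries.append({"kind": "pat", "global": m.group(1),
                            "gport": int(m.group(2)), "local": m.group(3),
                            "lport": int(m.group(4))})
            continue
        m = STATIC_RE.match(line)
        if m:
            entries.append({"kind": "static", "global": m.group(1),
                            "local": m.group(2)})
    return in_use, most_used, entries


def summarize(entries):
    """PAT xlate counts per global address and per inside host."""
    per_global = Counter(e["global"] for e in entries if e["kind"] == "pat")
    per_local = Counter(e["local"] for e in entries if e["kind"] == "pat")
    return per_global, per_local


def top_talkers(entries, threshold):
    """Inside hosts holding more than `threshold` PAT xlates, busiest first."""
    _, per_local = summarize(entries)
    return [(host, n) for host, n in per_local.most_common() if n > threshold]


if __name__ == "__main__":
    in_use, most_used, entries = parse_xlate(SAMPLE_XLATE)
    print(f"{in_use} in use, {most_used} most used, {len(entries)} parsed")
    for host, n in top_talkers(entries, 5):
        print(f"{host}: {n} PAT xlates")
```

Run it against a saved `show xlate` capture from the loaded network rather than the sample to see which hosts dominate the table.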
just my 2 cents.
ASKER
understood, but the ASA should be capable of the routing and NATing required to take over the functions of the existing router.....
ASKER CERTIFIED SOLUTION
ASKER
OK, did that and will try it out soon. Any other areas of the config that would be advisable to re-do? Thanks....
I hope your transparent proxy and the Packeteer support trunking through them and can see all of the vlans.
You have static routes to networks that are directly connected. You can remove these
route inside 10.1.0.0 255.255.128.0 10.0.0.2 1
route inside 10.3.0.0 255.255.240.0 10.0.0.2 1
route inside 10.5.0.0 255.255.252.0 10.0.0.2 1
To route between interfaces you are going to have to disable nat control
no nat-control
ASKER
For the networks that are 'directly connected', they are actually VLANs that are directly connected to the 4503, which is 10.0.0.2 (in the native VLAN for the Inside interface of the ASA). I thought this was required for routes that are not directly connected. I'm clearly not understanding this... Also, when I try to remove them, it says I cannot remove a route that is directly connected...
If you have an interface, such as vlan subifs on the asa, you should not add static routes pointing those networks to somewhere else.
That's correct. The ASA can have several different kinds of routes and it determines which one to use first for a particular location based on its "administrative distance" (which basically means reliability). When you have a network that is defined on the ASA (such as a VLAN or subinterface), that is counted as a CONNECTED (or local) route. Other types such as static and others fall into place after this. If you have a network defined in one of the above ways, it has a route in the ASA by default.
You can view currently active routes by running a sh route command.
Cheers! Let me know if you have any questions!
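To make the administrative-distance point concrete, here is an added example (not from the thread or from Cisco) that simulates the ASA's choice between a connected subinterface route and the static route the asker added for the same network. The table is constructed from the prefixes in the posted config, with a documentation-range address as the default gateway; the AD values are the ones the ASA uses (connected 0, static 1).

```python
import ipaddress

# Administrative distance: connected routes always beat static ones.
AD = {"connected": 0, "static": 1}

# Constructed table: the connected subinterface networks from the config plus
# the redundant static routes via 10.0.0.2 that the answer says to remove.
ROUTES = [
    # (prefix/netmask,            kind,        interface,   next hop)
    ("10.0.0.0/255.255.255.240", "connected", "inside",    None),
    ("10.1.0.0/255.255.128.0",   "connected", "Standard",  None),
    ("10.3.0.0/255.255.240.0",   "connected", "Corporate", None),
    ("10.5.0.0/255.255.252.0",   "connected", "Equipment", None),
    ("10.1.0.0/255.255.128.0",   "static",    "inside",    "10.0.0.2"),
    ("10.3.0.0/255.255.240.0",   "static",    "inside",    "10.0.0.2"),
    ("10.5.0.0/255.255.252.0",   "static",    "inside",    "10.0.0.2"),
    ("0.0.0.0/0.0.0.0",          "static",    "outside",   "203.0.113.81"),
]


def lookup(dst, routes=ROUTES):
    """Pick the route for dst: longest prefix first, then lowest AD."""
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, kind, iface, nh in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net:
            candidates.append(((-net.prefixlen, AD[kind]), (kind, iface, nh)))
    if not candidates:
        return None
    return min(candidates, key=lambda c: c[0])[1]


def shadowed_statics(routes=ROUTES):
    """Static routes whose exact prefix is also connected; they are never used."""
    connected = {ipaddress.ip_network(p, strict=False)
                 for p, k, _, _ in routes if k == "connected"}
    return [p for p, k, _, _ in routes
            if k == "static" and ipaddress.ip_network(p, strict=False) in connected]


if __name__ == "__main__":
    print("10.1.0.9 ->", lookup("10.1.0.9"))       # connected via Standard
    print("shadowed:", shadowed_statics())          # the three inside statics
```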
ASKER
OK. I originally had the networks configured as static routes back to 10.0.0.2, the gateway for them--and I did not have them configured as VLANs/subinterfaces. I made that change after seeing a large number of L2 decode drops on the Inside interface. So, I'll keep them as vlans and remove the routes I added....
Cool! Any questions?
ASKER
I did everything advised, but still had issues when I connected it to the transparent bandwidth manager/proxy and 4503 L3 switch. I now have it connected to the switch directly and am using a test subnet to try and troubleshoot. I set different MACs for each VLAN/subinterface on g 0/2. This impacted it, as I immediately saw more hosts/broadcasts on the ASDM log. Any way to check whether my switch supports the sharing of one MAC for multiple VLANs? Also, must I have a Security Plus license to support this mode? With the subinterfaces configured as they are it has the correct native VLAN and all other VLANs match up. However, I guess this won't do much if it doesn't trunk/tag the VLANs. Thanks in advance....
which switch is it?
Also, 5520 doesn't have a security plus license - those features are already there.
As far as VLANs and subinterfaces on the ASA go, it's usually easier to have as few interfaces as possible on the ASA (use VLANs only for traffic management such as DMZ/inside/etc.) because it causes complications.
Try to put all of your VLANs on your switches only and then either put in static routes on the ASA for those VLANs or run a dynamic routing protocol like EIGRP, OSPF, or RIP.
V. 8.x of ASA software will run those protocols, 7.x will only run RIP and OSPF.
Cheers! Let me know if you have any questions!
ASKER
OK, I'll try that now. I had it that way before, but I was getting a large amount of L2 decode errors. Any insight as to why that would be? They were all errors on the Inside interface (inside = physical interface where all the VLANs were set up as subinterfaces).
Hmmm... interference with the cables maybe? Bad cables? Duplex mismatches?
What kind of switch?
You should replace your 2651 router with another router in front of your firewall.